Abstract

Botnets have become one of the most serious threats to the Internet ecosystem, and botnet detection is crucial for tracking and mitigating network threats. Among emerging botnets, peer-to-peer (P2P) botnets are more dangerous and more resilient because of their distributed architecture. Unstructured P2P botnets in particular use custom protocols for communication, which lets their traffic blend into legitimate P2P traffic. Their topology is also more complex, and a complete topology cannot easily be obtained, which makes them more concealed and harder to detect. A botnet is itself a kind of overlay network, and research shows that nodes with shared neighbors usually belong to the same community. Targeting unstructured P2P botnets and drawing on complex network theory, this article approaches the problem from the perspective of shared neighbor nodes and proposes a botnet detection framework called Peertrap, based on self-avoiding random walk (SAW) community detection under incomplete topological information. First, network traffic is converted into NetFlow records on the Apache Flink big data platform. A P2P traffic cluster feature extraction rule, formulated from upstream/downstream traffic and address distribution threshold features, is proposed to separate P2P traffic from non-P2P traffic. Then the confidence between P2P clusters is calculated with the Jaccard coefficient to construct a shared neighbor graph, and P2P communities of the same type are mined by hierarchical clustering using the SAW algorithm combined with PCA. Finally, two community attributes, mean address distribution degree and mean closeness degree, are used to distinguish botnet communities from legitimate ones. Experiments on three unstructured P2P botnet datasets (Sality, Kelihos, and ZeroAccess) and the classic CTU datasets achieve good detection results. The framework addresses one of the most critical challenges in P2P botnet detection: it can detect P2P bots with high accuracy in the presence of legitimate P2P traffic, incomplete topological information, and encrypted C&C channels. The method is a typical application of complex network theory to botnet detection; it can detect botnets from different families in the same network, with good parallelism and scalability.

Highlights

  • Botnets are overlay networks for malicious activities, formed by many hosts infected with bot programs and controlled by botmasters [1, 2]

  • Traditional centralized command and control (C&C) architectures and HTTP protocol–based architectures are easy for defenders to trace and dismantle. The evolution of botnets is characterized by platform diversification, communication concealment, intelligent control, etc. A distributed botnet architecture based on P2P protocols avoids the single point of failure, and the functionality, structure, and hiding techniques of such botnets have improved greatly

  • For the unstructured P2P scenario, it is assumed that under incomplete topological information, even if hosts in a botnet are not directly connected with each other, they should at least share the same communication partners [26]. Research shows that nodes with shared neighbors usually belong to the same community. Therefore, based on community detection theory from complex networks, this paper proposes a botnet detection framework called Peertrap, based on the self-avoiding random walk (SAW) algorithm
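The abstract and the highlights above name the stages of the framework (flow records, P2P peer sets, a Jaccard shared-neighbor graph, self-avoiding random walks, hierarchical clustering, and two community attributes) without spelling out how they fit together. The following is an added illustration of those stages on constructed sample flows; it is not the paper's code or the Apache Flink pipeline. The Jaccard edge threshold, the single-linkage distance cutoff, the walk length, and the concrete definitions used for "mean address distribution degree" (mean distinct peers per host) and "mean closeness degree" (mean Jaccard weight over intra-community edges) are assumptions made for the example, not values taken from the paper, and the PCA step is omitted.

```python
"""Added illustration of the Peertrap stages named in the abstract:
flows -> per-host peer sets -> Jaccard shared-neighbor graph -> self-avoiding
random walks (SAW) -> single-linkage clustering of walk profiles -> community
attributes. Sample data and thresholds are constructed assumptions."""
import math
import random
from itertools import combinations

# Constructed NetFlow-like records as (source host, destination peer) pairs.
FLOWS = [
    # h1-h3: bots whose peer lists overlap heavily (shared neighbors)
    ("h1", "p1"), ("h1", "p2"), ("h1", "p3"), ("h1", "p4"),
    ("h2", "p1"), ("h2", "p2"), ("h2", "p3"), ("h2", "p5"),
    ("h3", "p2"), ("h3", "p3"), ("h3", "p4"), ("h3", "p5"), ("h3", "q1"),
    # h4-h5: legitimate P2P clients sharing one swarm
    ("h4", "q1"), ("h4", "q2"), ("h4", "q3"),
    ("h5", "q1"), ("h5", "q2"), ("h5", "q4"),
    # h6: host with no shared neighbors at all
    ("h6", "r1"), ("h6", "r2"),
]
JACCARD_THRESHOLD = 0.3   # assumed edge threshold for the shared-neighbor graph
CLUSTER_CUTOFF = 1.0      # assumed single-linkage distance cutoff


def peer_sets(flows):
    """Map each source host to the set of distinct peers it contacted."""
    sets = {}
    for src, dst in flows:
        sets.setdefault(src, set()).add(dst)
    return sets


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def shared_neighbor_graph(sets, threshold=JACCARD_THRESHOLD):
    """Weighted undirected graph: an edge means two hosts share enough peers."""
    graph = {h: {} for h in sets}
    for a, b in combinations(sorted(sets), 2):
        w = jaccard(sets[a], sets[b])
        if w >= threshold:          # weak overlaps (e.g. h3-h4 via q1) are dropped
            graph[a][b] = graph[b][a] = w
    return graph


def self_avoiding_walk(graph, start, max_len, rng):
    """One SAW: step to a weight-biased unvisited neighbor until stuck or max_len."""
    path, visited = [start], {start}
    while len(path) < max_len:
        nbrs = [(n, w) for n, w in graph[path[-1]].items() if n not in visited]
        if not nbrs:
            break
        nodes, weights = zip(*nbrs)
        nxt = rng.choices(nodes, weights=weights, k=1)[0]
        path.append(nxt)
        visited.add(nxt)
    return path


def saw_profiles(graph, walks_per_node=50, max_len=4, seed=0):
    """Per host: fraction of its walks that reach each host (its own entry is 1.0)."""
    rng = random.Random(seed)
    nodes = sorted(graph)
    profiles = {}
    for s in nodes:
        counts = dict.fromkeys(nodes, 0)
        for _ in range(walks_per_node):
            for n in self_avoiding_walk(graph, s, max_len, rng):
                counts[n] += 1
        profiles[s] = [counts[n] / walks_per_node for n in nodes]
    return profiles


def single_linkage(profiles, cutoff=CLUSTER_CUTOFF):
    """Agglomerative clustering of profile vectors; stop when the closest gap > cutoff."""
    clusters = [{h} for h in sorted(profiles)]
    dist = lambda a, b: math.dist(profiles[a], profiles[b])
    while len(clusters) > 1:
        d, i, j = min((min(dist(a, b) for a in ci for b in cj), i, j)
                      for (i, ci), (j, cj) in combinations(enumerate(clusters), 2))
        if d > cutoff:
            break
        clusters[i] |= clusters.pop(j)   # j > i, so index i stays valid
    return sorted(clusters, key=lambda c: sorted(c)[0])


def community_attributes(community, sets, graph):
    """Assumed readings of the two attributes: mean distinct peers per host,
    and mean Jaccard weight over edges inside the community."""
    degree = sum(len(sets[h]) for h in community) / len(community)
    edges = [graph[a][b] for a, b in combinations(sorted(community), 2) if b in graph[a]]
    closeness = sum(edges) / len(edges) if edges else 0.0
    return round(degree, 3), round(closeness, 3)


def run(flows=FLOWS):
    sets = peer_sets(flows)
    graph = shared_neighbor_graph(sets)
    comms = single_linkage(saw_profiles(graph))
    return [(sorted(c), *community_attributes(c, sets, graph)) for c in comms]


if __name__ == "__main__":
    for hosts, degree, closeness in run():
        print(hosts, "mean address distribution degree:", degree, "mean closeness:", closeness)
```

On this small input the bot hosts h1-h3 end up in one community with a higher mean address distribution degree and closeness than the legitimate swarm h4-h5, while h6 stays alone; the thresholds that separate bot communities from legitimate ones in the real framework are learned from the datasets and are not reproduced here.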


Summary

Introduction

Botnets are overlay networks for malicious activities, formed by many hosts (bots or zombies) infected with bot programs and controlled by botmasters [1, 2]. Unstructured P2P botnets have good flexibility, scalability, robustness, better concealment and intelligence, and a more complex topology; their traffic can blend into legitimate P2P traffic and is not easy to track and measure. For structured P2P botnets based on Kademlia [21] or Chord [22], the overlay can be inferred from flow data by exploiting the topological structure hidden in the communication relationships between bots. Such methods usually assume that the complete communication graph of the botnet is known, so they are not suitable for detecting unstructured P2P botnets. The rest of this paper is organized as follows. The second section introduces typical unstructured P2P botnets and the current state of detection technology. The third section describes the basic principles and the specific steps of the proposed framework. The fourth section presents the experimental analysis and verification. The fifth section concludes the paper

Related Work
Proposed Methodology
Experimental Evaluation
Method
Conclusion and Future Work